The risks keep rising, so why are we still asking customers to say their card details out loud?

In this guest post, Tim Critchley, Semafone CEO, considers the rise of phone-based transactions and what they mean for companies and customers in terms of security, and the consequences when it’s not up to scratch.

Looking back over the last 12 months, 2015 could well become known as the year of the data breach thanks to some high-profile cases hitting news headlines. While this means data security is certainly becoming front-of-mind for C-level executives, 2016 is more than likely going to see its own spate of attacks. In 2015, we conducted our own research into telephone payment security and the associated threats, which surveyed more than 160 UK and US professionals working with card payments, to shine a light on the attitudes and practices that could be leaving consumers at risk. The results showed that the number of customers using the telephone to pay for goods and services continues to rise; 87 per cent of UK and 84 per cent of US respondents reported processing more transactions via phone. Yet in spite of this growth, 80 per cent of UK and 82 per cent of US respondents still ask customers to read their details out loud when processing transactions, indicating a troubling disregard for data protection.

The rise in phone-based transactions may be attributable to consumers’ hesitancy to give out their payment card details online in the wake of some much-talked-about security breaches, combined with a growing awareness of the need to be more cautious with online payments. But the move towards phone payments also makes a lot of sense when you consider that if a customer encounters a problem during an online payment, such as a webpage failing to load or a transaction being delayed, they turn to call centre agents to rectify the situation. Talking to a human being also means customers can ask about the fine print (automatic renewals, cancellation periods, etc.) that is often difficult to find online. Ultimately, having a conversation with a call centre agent leaves people feeling more confident about what they’re paying for as well as more satisfied with the level of customer service.

Yet customers deserve to feel confident about not only the product, but also the level of security around their payment. The number of call centre agents who continue to ask for details verbally is extraordinary, given how frequently people are in a public space when paying over the phone, with any random passer-by able to overhear and steal card details. What’s more, reading out card numbers can potentially give agents an unwanted opportunity to copy the numbers.

While companies should have designated HR processes to deal with potential insider threats, such as regular background or credit checks and a comprehensive whistle-blower policy to protect employees who report suspicious activity, clearly there are many points of risk involved in telephone payments. Without the right security in place, your customer data is exposed to theft and your company is exposed to huge fines. For example, the new EU regulations stipulate fines of up to 4% of revenue. These will start to come into effect over the next two years, along with a raft of other laws that will impact companies that take or store customer data. The Payment Card Industry Data Security Standard (PCI DSS) also specifies strict rules about how card data must be handled, and demands merchants meet a certain level of security, with costly consequences should you fail to adhere to the controls.

Not only do data breaches mean potential fines, they also leave companies open to severe reputational damage, which in itself can be costly and sometimes irreparable. In fact, according to the Ponemon Institute’s 2015 Cost of a Data Breach Study, the average cost of a data breach to a company sits at US$3.79 million, which is a 23 per cent increase over the last two years. Much of this figure can be attributed to the loss of business as a result of decreased customer trust and loyalty. Considering we are talking about the theft of people’s personal and private details, it is not hard to see why they may be hesitant to do business with a company that has fallen victim to an attack on data. Earning back customer trust can be an expensive and difficult exercise. And in extreme circumstances, a company may even find itself having to build a completely new customer base from scratch. Clearly this is a situation every business should be doing as much as possible to avoid.

Obviously, storing customer card details within your core operations poses a significant risk, especially as hackers continue to develop clever and sophisticated ways of stealing information without being detected. So how do you, as a business, ensure you have protected your telephone payments? The easiest and most secure solution is to not handle the customer data in the first place. Thankfully, certain solutions exist that allow you to bypass the call centre infrastructure altogether and send the information directly to the relevant bank.

With such a simple and efficient way to protect customer information, it is no longer acceptable for the voice channel to represent a weak point in payment security. Businesses need to ensure that they are giving as much attention to protecting customers who pay over the phone as they do those who pay online.